Being your own data security expert in the absence of 2FA

By Scott McKinnon, Field CISO EMEA at VMware
VMware’s Scott McKinnon explains how social media users can be responsible for their online security, using unique passwords and caution with interactions

More than 4.74 billion people worldwide are social media users, according to recent data from Hootsuite. As a source of news and entertainment, social media offers enormous benefits that are accessible and essential to our everyday lives, which can overshadow its pitfalls.

As we’ve become more reliant on the internet, people have put their trust, whether misplaced or not, in digital services, particularly social media. However, consumers who rely solely on social platform providers to protect them against cyber criminals are, perhaps, playing with fate. User experience is changing as social media platforms restructure their business models to grow subscription plans. The full impact of these new revenue drivers is yet to be seen, but the security implications are undeniable.

Due to the alleged increase in bad actor exploitation of two-factor authentication (2FA) using text, or SMS, Twitter now limits its SMS-based 2FA services to ‘Twitter Blue’ users only. While it’s reassuring that these platforms are in tune with the attack landscape, this change limits access to full security for those who are without the means or are unwilling to pay for it. Withdrawing access to 2FA from non-subscribers highlights one key change for the masses: we must all become our own security experts.

Peeling back the layers of authentication

Twitter’s decision has come under fire for its security implications. SMS-based 2FA is often hailed as an effective protective barrier to hacker attempts, as it requires a user’s login to be authenticated via a third-party application that we all have access to – our texts. Critics express concern that while the decision to reserve SMS-based 2FA for verified users will only benefit the business by generating consistent revenue, the majority of social media users are no longer guaranteed the peace of mind of encrypted security.

For users who have not opted to pay for the premium perks, having a more secure online experience remains a priority. Social media users must do it for themselves: paying closer attention to their account activity, taking more accountability for their own data privacy, and taking additional measures to remain vigilant for suspicious activity.

Friend or foe?

A common way for hackers to steal identities is by creating convincingly fake profiles to gain access to personal networks. Unfortunately for many, their latest friend request may look authentic, but it could be a hacker posing as a connection they may or may not recognise. In fact, Lloyds Bank has warned that impersonation fraud on Instagram is on the rise, having increased by 155% from 2020 to 2021, according to This is Money. The average scam resulted in a loss of £336 per victim. Alternatively, hackers who have already compromised a friend’s account are known to pose as that friend and send you false links and alerts embedded with malware. By clicking through, you have enabled a hack on your account.

To avoid falling victim in the first place, users must use caution in their digital interactions. My advice is to trust your instincts first and foremost. If something is suspicious, verify the sender’s identity and the resource’s destination before engaging with it, for example before clicking on a video link, and avoid accepting connections from unknown accounts.

Designing your fortress

Hackers also know most people use the same password again and again, so one compromised password opens up your other accounts to compromise – including your bank account. However, those who use different passwords across their various sites and apps, and who introduce symbols and numbers – and not simply their birthdate – are much less likely to fall victim to data theft than those who copy and paste their passwords for the sake of ease.

An alternative to creating unique passwords yourself is using a third-party passcode manager. These services generate unique and complex passwords for each account and store them with encryption. They often come bundled with a mobile device, as Apple Keychain and Google Password Manager do, or are available for download in app stores.

While these are very simple approaches, they are good security hygiene and can mitigate the risks of doing nothing if your SMS-based 2FA is withdrawn.

Power in your hands

When we think of social media, we think of entertainment, not security. However, with data key to cybercrime, we cannot afford to take a back seat on our online security.

More than ever, users are responsible for their own first line of defence.

